Biometric identification device with smartcard capabilities

ABSTRACT

A smartcard-enabled BPID Security Device integrates a smartcard reader with a biometric authentication component to provide secured access to electronic systems. The device allows for an individual to insert a smartcard into an aperture in the physical enclosure of the BPID Security Device, allowing the smartcard and the BPID Security Device to electronically communicate with each other. The smartcard-enabled BPID Security Device is based on a custom application specific integrated circuit that incorporates smartcard terminals, such that the BPID Security Device can communicate directly with an inserted smartcard. In an alternative embodiment of the invention, the smartcard-enabled BPID Security Device is based on a commercial off-the-shelf microprocessor, and may communicate with a commercial off-the-shelf microprocessor smartcard receiver using a serial, USB, or other type of communication protocol. The device allows for enrolling a user&#39;s credentials onto the smartcard-enabled BPID Security Device. The device also allows for authenticating an individual using the smartcard-enabled BPID Security Device.

RELATED U.S. APPLICATION DATA

This application claims priority under 35 U.S.C. 119(e) of provisionalpatent application Ser. No. 60/665,043 filed Mar. 24, 2005, entitled,“Biometric Identification Device with Smartcard Capabilities,” which ishereby incorporated by reference in its entirety.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates to the field of portable, electronic personalidentification and authentication devices. This invention relates morespecifically to electronic devices using biometric and/or smartcardauthentication technologies.

2. Related Art

U.S. Pat. No. 6,991,174 to Zuili discloses a method and apparatus forauthenticating a shipping transaction. The disclosed apparatus, which isnot covered by the claims of the patent, is a portable smartcard readerincorporating a number of different authentication mechanisms, includinga personal identification number (PIN), asymmetric cryptographic keys,and/or biometrics. The apparatus may be used autonomously or inconjunction with other electronic devices, such as a personal digitalassistant (PDA), cellular telephone, or remote control. The apparatus isdesigned for use in a variety of applications, including computernetworks, televisions and cable access, and payment transactions. Thepatented invention is a method of specifically authenticating a shippingtransaction by using a smartcard and a smartcard reader, acquiringbiometric information and shipping information from a customer,encrypting the shipping information using the biometric information,storing the encrypted shipping information on the smartcard and in adatabase, permitting the customer to access the database in order tochange the shipping information, and requiring the customer to resubmitbiometric information in order to authenticate the shipping transaction.

U.S. Pat. No. 6,016,476 to Maes, et al., discloses a portable PDA withbiometric authentication capability. The PDA is further capable ofreading and writing information to smartcards, magnetic stripe cards,optical cards and/or electronically alterable read-only memory (EAROM)cards. The PDA is intended for use in payment transactions, and cancommunicate with other electronic devices, such as a point of saleterminal, through either wired or wireless transceivers.

Research In Motion, Ltd. (RIM) produces and sells a device called “TheBlackBerry® Smart Card Reader,” which is a portable smartcard readerthat provides two-factor authentication, symmetric cryptographic keysand the smartcard, for users attempting to access or use BlackBerrydevices. Once the smartcard and the cryptographic key has been processedon the device, the device communicates via Bluetooth wireless technologywith the BlackBerry device, enabling users to transmit secure e-mail.The device does not include biometric authentication.

Key Ovation produces the “Goldtouch ErgoSecure Smart Card and BiometricKeyboard SF2.4.” This device is a standard ergonomic computer keyboard,which incorporates both a smartcard reader and an Authentec fingerprintsensor. It is not portable, nor does it appear to possess wirelesstechnology.

NECESSITY OF THE INVENTION

Companies, governments, and other organizations possess a variety ofphysical and digital resources, which are often valuable and must beprotected. Some of these resources are physical, such as particularbuildings, offices, or grounds, while others are more intangible, suchas databases, computer files, or other digital data. As a naturalconsequence of wishing to protect the resource, organizations eitherimplicitly or explicitly develop an associated security policy orstructure that specifies rules for access to the resource. When anindividual wants access to a protected resource, the organization'ssecurity policy will—again implicitly or explicitly—require theindividual to identify himself in an acceptable manner, and will thenauthenticate the identified individual against the security policy. Ifthe identified and authenticated individual has privileges to theresource he is permitted access.

Both government agencies and private industry have developed a number ofdifferent technologies to implement these security policies. One suchtechnology is the “proximity card,” commonly used to secure physicalaccess to commercial buildings and offices. The proximity card istypically the size of a credit card, and contains electronics sufficientto both store and wirelessly transmit a unique identifier to a receiverlocated at the access point. The proximity card gains its name from itscharacteristic type of wireless transmission, allowing the user tosimply hold the card close (typically within a few inches) to the accesspoint, without inserting the card into a reader. When a proximity cardis issued to an individual, a centralized database associates the uniqueidentifier on the card with that individual; when the individualprovides the proximity card to gain access to the resource, theidentifier is transmitted to the access point, and the association isverified. Once the unique identifier has been programmed onto theproximity card, it cannot be altered, nor can additional data be addedto the card.

Developers have been equally prolific in generating authenticatingtechnologies for access to computers, networks, and other digitalresources. The simplest examples are passphrases or personalidentification numbers (PINs) that the individual must supply beforebeing granted access to the resource. Virtually all e-mail systems areprotected this way; another common example is the Windows® log-inprocess, which prompts the user to enter a username and password. Inmore advanced systems, individuals may be provided cryptographic keys,such as one half of a public key/private key pair, or a digitalcertificate. These technologies similarly rest on an individual'sprevious association with the particular credential, such as thepassphrase or cryptographic key.

One technology frequently used to accomplish one or both objectives ofphysical and digital access is the “smartcard.” Similar to the proximitycard, the smartcard is in the form-factor of a credit card. Thesmartcard, however, generally contains a small integrated circuit withsufficient processing power to perform a number of different tasks,including cryptography and two-way transmission. The smartcard can storeunique identifiers, such as cryptographic keys, passphrases, and otheruser data, as well as be transported and used to obtain access tophysical resources. One smartcard can provide storage and authenticationfor a number of different resources, each of which may have a differentidentifier. Rather than wirelessly transmitting credentials, such as theproximity card, the smartcard uses contact-based transmission, andrequires the user to insert the smartcard into a reader at the accesspoint. Smartcard readers may be attached to electronic resources, suchas a computer or network terminal, or physical resources, such as doors,gates, etc. Because of the two-way transmission capability, the datastored on a smartcard may be altered or updated through the smartcardreader. Smartcards are extremely popular; for example, the Department ofDefense (DoD) currently uses the smartcard-based Common Access Card(CAC) to grant access to its organizations and resources. The CACretains all of the functions and features of the traditional smartcard,and incorporates a photograph of the bearer on the outside of the card,to allow for both visual and electronic identification andauthentication.

Each of these security technologies, while very useful, is susceptibleto use by an impostor. If an individual loses his proximity card orsmartcard, anyone who picks it up may use it to access the resource.Biometric technology, which authenticates an individual by use ofphysical characteristics such as fingerprints, can largely eliminatethis risk. In the case of fingerprint recognition, an individual'sfingerprint is electronically scanned and stored as a numeric template.When the individual wishes to access the resource, the finger isrescanned and digitally compared to the stored fingerprint to determinea match. Biometrics offer a clear advantage over previoustechnology—while a smartcard may be easily stolen and used by anunauthorized individual, an electronic forgery of a fingerprint is muchmore difficult to achieve.

The Privaris® BPID™ Security Device is one type of authentication devicebased on biometric technology, and is much younger technology than thesmartcard. The BPID Security Device is a handheld, portable electronicdevice, containing a fingerprint scanner, two-way wirelesscommunications, memory, and sufficient processing power to performcryptographic functions and on-device fingerprint authenticationalgorithms. Much like the smartcard, the BPID Security Device can storeunique identifiers, including cryptographic keys and passphrases, andcan be used to authenticate an individual to a number of differentresources. The BPID Security Device, however, possesses significantlymore processing power and memory than the traditional smartcard, in partbecause of the fingerprint template storage and comparisons doneon-board the device. Furthermore, the BPID Security Device is based onwireless technology, so it can use the same protocols as used inproximity cards, newer standards like the Bluetooth® protocol, or both.Data on the BPID Security Device can be transmitted or received withoutinserting the device into a reader, which, for example, allowsindividuals to authenticate faster at a physical access point than theycould using a smartcard.

Since the advent of the smartcard, a number of organizations haveattempted to create an identification system common to multipleorganizations that utilized common information contained on thesmartcard, while at the same time increasing the security of thisinformation, and insuring positive identification of the individualusing the smartcard, prior to granting access to approved resources.Shortage of memory, limited range for contactless applications, the needfor multiple cards to accommodate existing building access systems, theneed for reliable biometric authentication, and the difficultiesassociated with updating the data on the card all became issues. Whilethe BPID Security Device can largely address these concerns, it does notpossess the form-factor of the smartcard, and therefore does not lenditself to the visual identification component of the CAC. Nor does theBPID Security Device contain a contact-based transmission mechanismallowing it to interact with systems currently using smartcard readers.What is needed is an apparatus and methods that combines the visualidentification aspect of the smartcard with the biometric and wirelesscomponents of the BPID Security Device, which can allow reversion to acontact-based smartcard system when necessary.

SUMMARY OF THE INVENTION

The present invention discloses apparatuses and methods for integratingsmartcard and BPID Security Device technology. The primary apparatus ofthe invention, hereinafter termed a “smartcard-enabled BPID SecurityDevice,” integrates a smartcard reader with the BPID Security Devicesuch that an individual may insert the smartcard into an aperture in thephysical enclosure of the BPID Security Device, allowing the smartcardand the BPID Security Device to electronically communicate with eachother. In one primary embodiment of the invention, the smartcard-enabledBPID Security Device is based on a custom application specificintegrated circuit (ASIC) that incorporates smartcard terminals, suchthat the BPID Security Device can communicate directly with an insertedsmartcard. In an alternative embodiment of the invention, thesmartcard-enabled BPID Security Device is based on a commercialoff-the-shelf (COTS) microprocessor, and may communicate with a COTSsmartcard receiver using a serial, USB, or other type of communicationprotocol. The first method of the invention is a process for enrolling auser's credentials onto the smartcard-enabled BPID Security Device. Thesecond method of the invention is a process for authenticating anindividual using the smartcard-enabled BPID Security Device.

DETAILED DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts the smartcard-enabled BPID Security Device

-   100—BPID Smartcard Security Device-   101—physical enclosure-   102—aperture for receiving a smartcard-   110—strap-   310—fingerprint sensor of the BPID Security Device

FIG. 2 depicts a smartcard being inserted into the smartcard-enabledBPID Security Device

-   100—BPID Smartcard Security Device-   101—physical enclosure-   102—aperture for receiving a smartcard-   200—smartcard

FIG. 3 depicts a smartcard inserted into the smartcard-enabled BPIDSecurity Device

-   100—BPID Smartcard Security Device-   101—physical enclosure-   102—aperture for receiving a smartcard-   200—smartcard

FIG. 4 is a schematic representation of the smartcard-enabled BPIDSecurity Device

-   100—BPID Smartcard Security Device-   210—smartcard reader-   211—smartcard terminal-   212—external device terminal-   300—biometric authentication component

DETAILED DESCRIPTION OF THE INVENTION

The following detailed description is of the best presently contemplatedmode of carrying out the invention. This description is not to be takenin a limiting sense, but is made merely for the purpose of illustratinggeneral principles of embodiments of the invention.

The primary apparatus of the invention is called a “smartcard-enabledBPID Security Device.” As seen in FIG. 1, the BPID Smartcard SecurityDevice 100 may be attachable to a strap 110, so that it may be wornaround an individual's neck or used in some other convenient carryingmethod. The BPID Smartcard Security Device 100 comprises a physicalenclosure 101 with an aperture 102 for receiving a smartcard, abiometric authentication component 300 (see FIG. 4), and a smartcardreader 210 (see FIG. 4). The fingerprint sensor 310 of the BPID SecurityDevice is made externally available through the physical enclosure 101.As seen in FIGS. 2 and 3, the aperture 102 may be oriented in thephysical enclosure 101 such that a picture or photograph on the outsideof a smartcard 200, such as the CAC, is easily visible to allapproaching the individual.

FIG. 4 is a schematic representation of the smartcard-enabled BPIDSecurity Device, without the physical enclosure and aperture. Thesmartcard reader 210 may be any existing technology that incorporatescontact-based terminals 211 for receiving and transmitting electronicdata smartcards (hereinafter “smartcard terminal”), and at least oneadditional terminal 212 for transmitting and receiving data to anexternal device (hereinafter “external device terminal”). The biometricauthentication component 300 and the smartcard reader 210 are locatedwithin the physical enclosure 101, such that a smartcard 200 insertedinto the aperture 102 will physically contact the smartcard terminal 211and may use existing smartcard protocols to transmit information to andfrom the smartcard reader 210. The smartcard reader 210 is physicallycoupled to the biometric authentication component 300, such that theexternal device terminal 212 allows the smartcard reader 210 tocommunicate with the biometric authentication component 300.

In the first embodiment of the apparatus, the biometric authenticationcomponent 300 may communicate with the external device terminal 212 overa standard communications protocol, such as, but not limited to, RS232(now known as EIA232) or Universal Serial Bus (USB). In an alternativeembodiment of the apparatus, the biometric authentication component 300and the smartcard reader 210 will coexist on a secure microprocessor(hereinafter “BPID Security Device/reader”), such that communicationsbetween the external device terminal 212 and the biometricauthentication component 300 will be physically and electronicallylocated on the same ASIC. In this embodiment of the invention, the BPIDSecurity Device/reader will be located within the physical enclosure 101such that a smartcard 200 inserted into the aperture 102 of the physicalenclosure 101 will directly contact the smartcard terminal 211 of theBPID Security Device/reader. This creates enhanced security for the BPIDSmartcard Security Device 100, as the ASIC may be physically andelectronically secured.

The first method of invention permits an individual with a smartcard toenroll himself into the BPID Smartcard Security Device 100. First, theindividual places a smartcard 200 into the aperture 102 of the physicalenclosure 101 such that the smartcard 200 contacts the smartcardterminal 211 of the reader 210. The individual then activates power tothe smartcard-enabled BPID Security Device 101 and the smartcard reader210 reads the smartcard's serial number. The smartcard reader 210transmits the serial number to the biometric authentication component300 using the external device terminals 212. The biometricauthentication component 300 verifies that it has not previously beenenrolled with the specific smartcard 200. The biometric authenticationcomponent 300 then connects to a BPID Security Device enrollment stationand enrolls the individual pursuant to its regular procedure. During theenrollment procedure, the biometric authentication component 300 storesthe individual's biometric data and a PIN, which are then associated inthe memory of the biometric authentication component 300 with thesmartcard's 200 serial number. The biometric authentication component300 also transmits the individual's biometric data and the PIN to thesmartcard reader 210 via the external device terminals 212, and thesmartcard reader 210 writes the biometric data and the PIN to thesmartcard 200 via the smartcard terminal 211. The BPID SmartcardSecurity Device 100 is now enrolled and the user may remove thesmartcard from the aperture 102 of the physical enclosure 101.

The second method of the invention permits an individual to authenticatehimself to a BPID Smartcard Security Device 100 he has previouslyenrolled in. First, the individual places a smartcard 200 into theaperture 102 of the physical enclosure 101 such that the smartcard 200contacts the smartcard terminal 211 of the reader 210. The individualthen activates power to the smartcard-enabled BPID Security Device 101and the smartcard reader 210 reads the smartcard's serial number. Thesmartcard reader 210 transmits the serial number to the biometricauthentication component 300 using the external device terminals 212.The biometric authentication component 300 verifies that it haspreviously been enrolled with the specific smartcard 200 and requeststhe individual to authenticate himself to the biometric authenticationcomponent 300 according to its standard procedure. If the biometricauthentication component 300 successfully authenticates the individual,the biometric authentication component 300 locates the PIN associatedwith the smartcard's 200 serial number and transmits the PIN via theexternal device 212 to the smartcard reader 210. The smartcard reader210 then transmits the PIN to the smartcard 200 via the smartcardterminal 211.

If the smartcard 200 possesses “match-on-card” capabilities, i.e. thesmartcard is capable of matching fingerprint templates to those storedon the card, the biometric authentication component 300 locates thefingerprint template associated with the smartcard's 200 serial numberand transmits the template via the external device 212 to the smartcardreader 210. The smartcard reader 210 then transmits the template to thesmartcard 200 via the smartcard terminal 211. If the smartcard 200matches both the transmitted PIN and fingerprint template to its storedPIN and template, it 200 transmits its stored electronic data to thesmartcard reader 210 via the smartcard terminal 211, which subsequentlytransmits the stored electronic data to the biometric authenticationcomponent 300 via the external device terminal 212. The biometricauthentication component 300 may now use the electronic data stored onthe smartcard 200 as necessary.

If the smartcard 200 does not possess “match-on-card” capabilities, thesmartcard 200 will only match the transmitted PIN to its stored PIN. It200 will then transmit the stored fingerprint template to the smartcardreader 210 via the smartcard terminal 211, which in turn transmits thefingerprint template to the biometric authentication component 300 viathe external device terminal 212. The biometric authentication component300 locates the fingerprint template associated with the smartcard's 200serial number and compares the stored template to the templatetransmitted from the smartcard 200. If the two match, the biometricauthentication component 300 prompts the smartcard reader 210 totransmit its stored electronic data to the smartcard reader 210 via thesmartcard terminal 211. The smartcard reader 210 then transmits thestored electronic data to the biometric authentication component 300 viathe external device terminal 212. As above, the biometric authenticationcomponent 300 may now use the electronic data stored on the smartcard200 as necessary.

Those having ordinary skill in the art will recognize that the precisesequence of steps may be altered such that they result in the samefunctional outcome. Many improvements, modifications, and additions willbe apparent to the skilled artisan without departing from the spirit andscope of the present invention as described herein and defined in thefollowing claims.

1. An autonomous, portable apparatus for identifying and authenticatingelectronic user credentials, comprising: a. a physical enclosure with anaperture for receiving a smartcard; b. a reading/writing means forreading and writing to a smartcard, such that when a smartcard is placedinto said aperture of said physical enclosure, the smartcard connects tosaid reading/writing means such that the smartcard can be read orwritten; and c. a personal authentication device comprising anauthentication means for biometric authentication, a wirelesstransceiver, a communication means for communicating with saidreading/writing means, and a processing means for electronic dataprocessing and storage, located inside said enclosure and coupled tosaid reading/writing means.
 2. The apparatus of claim 1, wherein saidphysical enclosure is tamper-evident.
 3. The apparatus of claim 1,wherein said physical enclosure is tamper-resistant.
 4. The apparatus ofclaim 1, wherein said aperture of said physical enclosure is orientedsuch that when a smartcard is inserted into said aperture, the externalsurface of the smartcard is visible.
 5. The apparatus of claim 1,wherein said reading/writing means and said personal authenticationdevice are implemented together on an application-specific integratedcircuit, such that communications between said reading/writing means andsaid personal authentication device are secure and tamper-resistant. 6.The apparatus of claim 1, wherein said reading/writing means and saidpersonal authentication device communicate using serial communications.7. The apparatus of claim 1, wherein said reading/writing means and saidpersonal authentication device communicate using a Universal Serial Bus.8. A method for associating a user with an autonomous, portableapparatus for identifying and authenticating electronic usercredentials, comprising the steps of: a. providing the autonomous,portable apparatus which comprises: i. a physical enclosure with anaperture for receiving a smartcard; ii. a reading/writing means forreading and writing to a smartcard, such that when a smartcard is placedinto said aperture of said physical enclosure, the smartcard connects tosaid reading/writing means such that the smartcard can be read orwritten; and iii. a personal authentication device comprising anauthentication means for biometric authentication, a wirelesstransceiver, a communication means for communicating with saidreading/writing means, and a processing means for electronic dataprocessing and storage, located inside said enclosure and coupled tosaid reading/writing means; b. placing a smartcard into said apertureformed in said physical enclosure of the autonomous, portable apparatus;c. using said reading/writing means to read said a serial numberassigned to said smartcard; d. transmitting said serial number to saidpersonal authentication device; e. verifying that said personalauthentication device has not previously enrolled said smartcard usingsaid serial number; f. connecting said personal authentication device toan external enrollment station; g. using said external enrollmentstation to acquire a biometric template and a personal identificationnumber from the user; h. transmitting said biometric template and saidpersonal identification number to said personal authentication device;i. storing said biometric template and said personal identificationnumber to said personal authentication device; j. associating saidserial number with said biometric template and said personalidentification number in said personal authentication device; k.transmitting said biometric template and said personal identificationnumber from said personal authentication device to said smartcard; andl. storing said user's biometric template and personal identificationnumber on said smartcard.
 9. A method for authenticating a user to adevice using an autonomous, portable apparatus for identifying andauthenticating electronic user credentials, comprising the steps of: a.providing the autonomous, portable apparatus which comprises: i. aphysical enclosure with an aperture for receiving a smartcard; ii. areading/writing means for reading and writing to a smartcard, such thatwhen a smartcard is placed into said aperture of said physicalenclosure, the smartcard connects to said reading/writing means suchthat the smartcard can be read or written; and iii. a personalauthentication device comprising an authentication means for biometricauthentication, a wireless transceiver, a communication means forcommunicating with said reading/writing means, and a processing meansfor electronic data processing and storage, located inside saidenclosure and coupled to said reading/writing means; b. placing asmartcard into said aperture formed in said physical enclosure of theautonomous, portable apparatus; c. acquiring a biometric sample and apersonal identification number from the user using the personalauthentication device; d. comparing said acquired biometric sample andpersonal identification number to a previously stored biometric sampleand personal identification number; and e. authenticating the user ifsaid acquired biometric sample and personal identification number matchsaid previously stored biometric sample and personal identificationnumber.
 10. The method of claim 9 wherein the comparison step isperformed on the smartcard.
 11. The method of claim 9, wherein thecomparison step is performed on the personal authentication device.